Network Access Controls (NAC) are widely used to provide endpoint security, typically complementing existing application-based security controls. NAC security mechanisms, for instance firewalls, are routinely prescribed as requirements for compliance with security standards such as PCI-DSS and ISO 27000. However, the effectiveness of a NAC configuration may be hampered by poor understanding and/or management of the overall security configuration, which may in turn unnecessarily expose the enterprise to known security threats. New threats and/or service requirements often result in firefighting by ad-hoc modification of an already large and complex configuration. This complexity is further compounded by the diverse range of NAC mechanisms used to secure an enterprise, ranging from firewalls and proxies to NAC-style controls within applications themselves. As a consequence, it can be difficult to ensure that the current NAC configuration is effective, that is, that it sufficiently mitigates threats while still providing the necessary access to services. Ensuring ongoing best-practice NAC administration can be costly, as it requires up-to-date expert knowledge in a rapidly changing field.

We use Ontology Engineering techniques to provide expert and automated support for the management of NAC configurations. A knowledge base is being developed that contains detailed prescriptions for NAC configurations that are compliant with security standards and best practices. These catalogues of best practice describe how known threats are mitigated by NAC configurations and are continually updated to reflect newly discovered vulnerabilities and revisions to best practice.
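The following is an added illustration of the kind of check such a catalogue enables; it is not code from the project described here. It models a first-match firewall ruleset and a constructed catalogue that pairs each known threat (traffic that must be denied) or required service (traffic that must be allowed) with a probe flow, then reports which catalogue entries a configuration fails. All rules, addresses and catalogue entries are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One NAC/firewall rule in a constructed model (not a vendor format); port None matches any port."""
    action: str        # "allow" or "deny"
    src: str           # source CIDR
    dst: str           # destination CIDR
    port: Optional[int] = None

def decide(rules, src, dst, port):
    """First-match evaluation with an implicit default deny, as most packet filters do."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and r.port in (None, port)):
            return r.action
    return "deny"

# Constructed best-practice catalogue: name -> (src, dst, port, expected decision).
CATALOGUE = {
    "threat: telnet reachable from Internet": ("203.0.113.7", "10.0.0.10", 23, "deny"),
    "threat: SMB reachable from Internet":    ("203.0.113.7", "10.0.0.10", 445, "deny"),
    "service: HTTPS to web tier":             ("203.0.113.7", "10.0.0.10", 443, "allow"),
    "service: admin SSH from jump host":      ("10.0.1.5", "10.0.0.10", 22, "allow"),
}

def audit(rules, catalogue=CATALOGUE):
    """Return the catalogue entries the configuration fails (unmitigated threats or blocked services)."""
    return sorted(name for name, (src, dst, port, expected) in catalogue.items()
                  if decide(rules, src, dst, port) != expected)

# Constructed baseline configuration that satisfies every catalogue entry.
BASELINE = [
    Rule("allow", "0.0.0.0/0", "10.0.0.0/24", 443),
    Rule("allow", "10.0.1.0/24", "10.0.0.0/24", 22),
    Rule("deny", "0.0.0.0/0", "10.0.0.0/24"),
]

# The same configuration after an ad-hoc change: a broad allow prepended to unblock a
# new service shadows the final deny, so the telnet and SMB threats are no longer mitigated.
PATCHED = [Rule("allow", "0.0.0.0/0", "10.0.0.0/24")] + BASELINE

if __name__ == "__main__":
    print("baseline failures:", audit(BASELINE))  # []
    print("patched failures:", audit(PATCHED))    # the two threat entries
```

Running the audit after every configuration change turns the catalogue into a regression test: a shadowed deny shows up as a named unmitigated threat rather than going unnoticed in a large ruleset.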

This work grew from a sabbatical at IBM, and the project was supported by Science Foundation Ireland, as part of FAME.